CHERI: revolutionising IoT security with enhanced hardware capabilities

In the rapidly evolving world of IoT, the security of connected devices has emerged as a paramount concern. The joint research project by SRI International and the University of Cambridge, known as CHERI (Capability Hardware Enhanced RISC Instructions), is at the forefront of addressing this challenge. Funded by programs such as DARPA CRASH, MRC, SSITH, and others including UKRI and Google, CHERI aims to fundamentally redesign hardware and software for dramatically improved system security.

The essence of CHERI

CHERI extends traditional hardware Instruction-Set Architectures (ISAs) with novel architectural features, enabling fine-grained memory protection and scalable software compartmentalization. This approach is particularly beneficial for historically memory-unsafe languages like C and C++, providing robust protection against widely exploited vulnerabilities. The concept of CHERI is based on a hybrid capability architecture, blending architectural capabilities with conventional MMU-based architectures and microarchitectures, along with software stacks based on virtual memory and C/C++. This enables incremental deployment within existing ecosystems, demonstrated through extensive hardware and software prototyping.
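The fine-grained memory protection described above can be pictured with a small software model. This is an added example, not code from the CHERI project, and it does not reproduce the real capability encoding or instructions: `cap_t`, `cap_restrict`, `cap_store` and the buffer layout are hypothetical names and constructed data. It shows the two properties that contain a C buffer overflow: every access is checked against the bounds and permissions carried by the pointer, and derived pointers can only lose rights.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified software model of a capability (hypothetical layout, not the
   real CHERI encoding): a pointer carrying bounds, permissions and a tag. */
enum { PERM_LOAD = 1u, PERM_STORE = 2u };
typedef struct {
    uint8_t *base;    /* lowest address the holder may touch */
    size_t   length;  /* bytes reachable from base */
    unsigned perms;   /* PERM_* bits */
    bool     tag;     /* validity bit; clear means the capability is unusable */
} cap_t;

/* Derive a narrower capability. Rights may only shrink (monotonicity):
   a request for wider bounds or extra permissions yields an untagged cap. */
cap_t cap_restrict(cap_t c, size_t off, size_t len, unsigned perms) {
    cap_t out = { NULL, 0, 0, false };
    if (!c.tag || off > c.length || len > c.length - off
        || (perms & ~c.perms)) return out;
    out.base = c.base + off; out.length = len; out.perms = perms; out.tag = true;
    return out;
}

/* Checked store: hardware would trap; the model returns false instead. */
bool cap_store(cap_t c, size_t off, uint8_t v) {
    if (!c.tag || !(c.perms & PERM_STORE) || off >= c.length) return false;
    c.base[off] = v;
    return true;
}

/* Constructed scenario: a 16-byte packet buffer sits next to a control flag.
   Returns true if every out-of-bounds or over-privileged access was refused. */
bool demo_overflow_contained(void) {
    static uint8_t mem[17];   /* zero-initialised; mem[16] is the adjacent flag */
    cap_t root = { mem, sizeof mem, PERM_LOAD | PERM_STORE, true };
    cap_t buf  = cap_restrict(root, 0, 16, PERM_LOAD | PERM_STORE);
    cap_t ro   = cap_restrict(buf, 0, 16, PERM_LOAD);
    bool ok = cap_store(buf, 15, 0xAA);                   /* last in-bounds byte */
    ok = ok && !cap_store(buf, 16, 0xFF);                 /* one past the end */
    ok = ok && !cap_store(ro, 0, 0x01);                   /* no store permission */
    ok = ok && !cap_restrict(buf, 0, 17, PERM_LOAD).tag;  /* cannot widen bounds */
    ok = ok && !cap_restrict(ro, 0, 8, PERM_STORE).tag;   /* cannot regain rights */
    return ok && mem[16] == 0 && mem[15] == 0xAA;
}

int main(void) {
    printf("overflow contained: %s\n", demo_overflow_contained() ? "yes" : "no");
}
```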

CHERI and IoT: a security paradigm shift

  1. Enhanced IoT device security: CHERI’s capability-based system offers precise control over memory and processor resources in IoT devices, providing a strong defense against common cyber threats.
  2. Memory safety in IoT: With CHERI, IoT devices gain enhanced memory safety, crucial for devices operating autonomously in various environments.
  3. Affordable and scalable security: CHERI’s model addresses the need for affordable and scalable security solutions in the diverse and expansive field of IoT.
  4. Resilience against cyber attacks: IoT devices, often managed remotely, are vulnerable to network-based attacks. CHERI’s design inherently limits the capabilities of code, offering robust defense mechanisms.
  5. Compatibility with existing IoT systems: CHERI’s integration with existing RISC architectures means it can enhance IoT security without overhauling current software systems.

Development and applications

CHERI has been adapted to several ISA designs, including 64-bit MIPS, 32-bit and 64-bit RISC-V, and 64-bit Armv8-A. The project has also created a full software stack for CHERI by adapting widely used open-source software such as Clang/LLVM, FreeBSD, and FreeRTOS. This comprehensive approach ensures that CHERI is not only a theoretical concept but a practically applicable technology in real-world scenarios.

CHERI for Armv8-A and RISC-V

The collaboration with Arm has led to the development of an experimental CHERI-ARM processor, SoC, and evaluation board (“Morello”), aimed at academic and industrial research. Similarly, the adaptation of CHERI to the RISC-V ISAs includes multiple FPGA prototypes, demonstrating the versatility and applicability of CHERI across different hardware platforms.

Conclusion

As IoT continues to permeate every aspect of modern life, the importance of securing these interconnected devices becomes increasingly critical. CHERI represents a significant step forward in this regard, offering a sophisticated, scalable, and compatible solution for enhancing IoT security. Through its innovative approach to hardware and software design, CHERI is not just a technological advancement; it is a beacon of hope for a more secure and reliable IoT future.
